Home > CAPEC List > CAPEC-105: HTTP Request Splitting (Version 3.0)  

CAPEC-105: HTTP Request Splitting

Attack Pattern ID: 105
Abstraction: Standard
Status: Draft
Presentation Filter:
+ Description
HTTP Request Splitting (also known as HTTP Request Smuggling) is an attack pattern where an attacker attempts to insert additional HTTP requests in the body of the original (enveloping) HTTP request in such a way that the browser interprets it as one request but the web server interprets it as two. There are several ways to perform HTTP request splitting attacks. One way is to include double Content-Length headers in the request to exploit the fact that the devices parsing the request may each use a different header. Another way is to submit an HTTP request with a "Transfer Encoding: chunked" in the request header set with setRequestHeader to allow a payload in the HTTP Request that can be considered as another HTTP Request by a subsequent parsing entity. A third way is to use the "Double CR in an HTTP header" technique. There are also a few less general techniques targeting specific parsing vulnerabilities in certain web servers.
+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships

The table(s) below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

+ Relevant to the view "Mechanisms of Attack" (CAPEC-1000)
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.220Client-Server Protocol Manipulation
+ Execution Flow
Explore
  1. Investigate Target Environment: Determine the technologies used in the target environment such as types of browsers, web servers, application firewalls, proxies, etc. Investigation of the target environment to determine the types of technologies used to parse the incoming HTTP requests. Attempt to understand how HTTP Request headers are parsed

    Techniques
    Investigation of the target environment to determine the types of technologies used to parse the incoming HTTP requests. Attempt to understand how HTTP Request headers are parsed
Exploit
  1. Post a malicious HTTP Request: Post a malicious HTTP request that will be interpreted as multiple HTTP requests when parsed on the server Post a malicious HTTP Request utilizing double CR/LF characters in HTTP header to cause request splitting Post a malicious HTTP Request utilizing "Transfer Encoding: chunked" in the request header to cause request splitting Post a malicious HTTP Request utilizing double Content-Length headers to cause request splitting

    Techniques
    Post a malicious HTTP Request utilizing double CR/LF characters in HTTP header to cause request splitting
    Post a malicious HTTP Request utilizing "Transfer Encoding: chunked" in the request header to cause request splitting
    Post a malicious HTTP Request utilizing double Content-Length headers to cause request splitting
+ Prerequisites
User-manipulateable HTTP Request headers are processed by the web server
+ Skills Required
[Level: Medium]
Good understanding of the HTTP protocol and the parsing mechanisms employed by various web servers
+ Resources Required
A tool that allows for the sending of customized HTTP requests is required.
+ Consequences

The table below specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

ScopeImpactLikelihood
Confidentiality
Integrity
Availability
Execute Unauthorized Commands
Confidentiality
Access Control
Authorization
Gain Privileges
Confidentiality
Read Data
Integrity
Modify Data
+ Mitigations
Make sure to install the latest vendor security patches available for the web server.
If possible, make use of SSL.
Install a web application firewall that has been secured against HTTP Request Splitting
Use web servers that employ a tight HTTP parsing process
+ Example Instances

Microsoft Internet Explorer versions 5.01 SP4 and prior, 6.0 SP2 and prior, and 7.0 contain a vulnerability that could allow an unauthenticated, remote attacker to conduct HTTP request splitting and smuggling attacks.

The vulnerability is due to an input validation error in the browser that allows attackers to manipulate certain headers to expose the browser to HTTP request splitting and smuggling attacks. Attacks may include cross-site scripting, proxy cache poisoning, and session fixation. In certain instances, an exploit could allow the attacker to bypass web application firewalls or other filtering devices.

Microsoft has confirmed the vulnerability and released software updates

+ Memberships
This MemberOf Relationships table shows additional CAPEC Categories and Views that reference this attack pattern as a member. This information is often useful in understanding where a attack pattern fits within the context of external information sources.
NatureTypeIDName
MemberOfCategoryCategory - A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (as opposed to actions or mechanisms, such an aggregation would be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.357WASC-24 - HTTP Request Splitting
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2017-08-04CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Resources_Required

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018